ipchains_basics

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: ipchains question
From: "Paul Smith" <pauls@SCCWRP.ORG>
Date: Fri, 28 Jul 2000 07:34:05 -0700

Hello all,

What is the basic ipchains command that allows internal computers to
make use of a redhat 6.2 machine gateway for browsing the internet.
I've been playing around with ipchains using different commands, but
don't seem to be able to get my internal machines to browse the
internet.  I've read the Howto and man pages, but I just want to get my
internal machines browsing first before I even move onto tightening
security and such.  My ethernet cards are working, I can ping off both
ends (outside onto the internet and internally to clients).  My internal
client machines have private ipnumbers, same subnet as internal gateway
card, my isp dns numbers are in place.  Am I missing something? Do the
network cards need to be lined up a certain way (internal eth0, external
eth1 is how I have it now)?  Ipchains is set up, I can issue commands
and then delete the chains.  I have even got it to block ping packets,
but no browsing seems to work from my client ends.  Do I have to give
the browsers on my internal machines port numbers, or is the gateway
configuration enough?

===

Subject: RE: ipchains question
From: "Burke, Thomas G." <thomas_g_burke@md.northgrum.com>
Date: Fri, 28 Jul 2000 10:28:26 -0400


Do you have a routable internal network, or are you using masquerade?

===

Subject: RE: ipchains question
From: "Czerlinsky, Tim B" <tim.czerlinsky@unisys.com>
Date: Fri, 28 Jul 2000 09:36:33 -0500


be sure you have your RouteD enabled in Linuxconf, and with your setup, it
sounds like you have to have masquerading setup also.  I had the same prob
with my server when I first got it setup, those 2 settings took care of
everything.  They do have a great program, called PMFirewall, which is
available at http://www.pointman.org/PMFirewall/.  I use it on my server,
have not had any problems with it.  It's run from the command line, but it
is a wizard of sorts.  It will setup your masquerading & firewall, and it
will prompt you for what ports you want to leave open, and what you want to
close.  It only takes a few minutes to get it up & running, works great.
That is cheating however, since you're not doing your scripts yourself. ;)

===

Subject: Re: ipchains question
From: "Paul Smith" <pauls@SCCWRP.ORG>
Date: Fri, 28 Jul 2000 07:53:15 -0700


I am under the impression that if I am using dsl, with a static ip address I
can use a redhat machine with ipchains and two network cards to allow multiple
internal machines to use that one redhat machine (gateway) for browsing the
internet.  I suppose that I am trying to use masquerade.

===

Subject: RE: ipchains question
From: "Burke, Thomas G." <thomas_g_burke@md.northgrum.com>
Date: Fri, 28 Jul 2000 11:05:18 -0400


Here's a copy of my rc.firewall...  This should set up ipmasq, & a halfway
decent firewall at the same time...  If anyone sees anything they don't like
about this, please pipe up & let me know what you think I ought to be doing
differently...


#!/bin/sh
#
#
############################################################################
#
# rc.firewall
#     Heavily plagiarized from Hal Burgiss (hburgiss@bellsouth.net)
#
# Tom Burke - 5 May 00 (tomii@erols.com)
#
############################################################################
#
# variables
#
# internal interface
INTERNAL_IF=eth0
INTERNAL_IP=192.168.68.1
INTERNAL_MASK=255.255.255.0
INTERNAL_NET=$INTERNAL_IP/$INTERNAL_MASK
#
#
# external interface
EXTERNAL_IF=ppp0
#
#   These lines for dynamic IP (uncomment them and drop the static
#   EXTERNAL_IP / EXTERNAL_MASK values below)
# EXTERNAL_IP=`ifconfig $EXTERNAL_IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
# EXTERNAL_MASK=`ifconfig $EXTERNAL_IF | grep Mask | cut -d : -f 4`
#

EXTERNAL_IP=209.122.117.221
EXTERNAL_MASK=255.255.255.0
EXTERNAL_NET=$EXTERNAL_IP/$EXTERNAL_MASK
echo -n "External net -> "
echo $EXTERNAL_NET
#
#
# Loopback Interface
LOOPBACK=lo
#
#
# All addresses
ALLADDR=0/0
#
#
# location of ipchains
IPCHAINS=/sbin/ipchains
#
#
#
############################################################################
##
# We assume that all interfaces are up...
#     Maybe this should be run in the PPP startup script?
#
# First, we flush all rules
echo -n "Flushing all rules"
#
# Flush empty chains
$IPCHAINS -X
echo -n "."
#
# Flush Incoming rules (packets from the outside network)
$IPCHAINS -F input
echo -n "."
#
# Flush Outgoing rules (packets from the internal network)
$IPCHAINS -F output
echo -n "."
#
# Flush forwarding rules (masquerading stuff, etc)
$IPCHAINS -F forward
echo -n "."
echo "Done!"
#
############################################################################
#
#
# Handle the loopback device - we should accept anything coming from
#     or going to this device, otherwise we'll break the system.
#
echo -n "Loopback.."
$IPCHAINS -A input -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
echo -n ".."
echo "Done!"
#
############################################################################
#
# Different system tweaks
echo -n "/proc tweaks.."
#
# IP Spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
     for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
          echo 1 > $i
     done
fi
echo -n "."
#
# Block all ICMP echo requests (will this break my internal boxes'
#     ability to ping the outside world?
#     No: this only makes the gateway ignore echo requests addressed to
#     itself; echo replies coming back for masqueraded pings are still
#     accepted.)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n "."
#
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
     echo 0 > $i
done
echo -n "."
#
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
     echo 0 > $i
done
echo -n "."
#
# Start IP Fragment Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo -n "."
#
# Start ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n "."
#
# Start Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -n "."
#
# Start SYN cookies protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
echo -n "."
echo "Done!"
#
###########################################################################
#
# Block nonroutable IPs from entering our box
#
#     Block 192.168.0.0/16 on outer interface, only
#
###########################################################################
#
echo -n "Blocking non-routable addresses.."
$IPCHAINS -A input -s 10.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 127.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 172.16.0.0/12 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -i $EXTERNAL_IF -s 192.168.0.0/16 -d $EXTERNAL_NET -j DENY
echo -n "."
echo "Done!"
#
###########################################################################
#
# Trusted networks and services
#      Put in rules to unconditionally allow connections from
#      hosts/nets that might otherwise be blocked.
#
#      Any services that we want global, unfiltered access to
#      go here
#
#      Currently, global unfiltered access is only
#           allowed to our internal network.
#
#      External network (the internet) can have full access to
#           http, ftp, smtp, ssh, and nothing else
###########################################################################
echo -n "Trusted Networks.."
#
# Add the internal net's unconditional access, here.
echo -n "Internal Network..."
$IPCHAINS -A input -i $INTERNAL_IF -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
#
#
# Stuff we want the outside world to be able to use...
echo -n "Global Services..."
#
# http (80)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 80 -j ACCEPT
echo -n "."
#
# ftp (21)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 21 -j ACCEPT
echo -n "."
#
# smtp (25)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 25 -j ACCEPT
#
# ssh (22)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 22 -j ACCEPT
echo -n "."
echo "Done!"
#
# DNS
#     May need to enable this so MASQ'd network can do DNS lookups
#     to ISP's DNS machine  (Seems to be working without it)
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#
###########################################################################
#
# Banned Networks
#
# Put troublemakers here - Rules to specifically block connections
#     from hosts/nets that are known to cause problems.  Packets are logged.
#
###########################################################################
#
# echo -n "Banned Networks.."
#
# Generic blocker/logger
# $IPCHAINS -A input -l -s [banned host/net] -d $EXTERNAL_NET [ports] -j DENY
# echo -n "."
#
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $EXTERNAL_IF -p icmp -s [host/net] -d $EXTERNAL_NET -j DENY
# echo -n "."
# echo "Done!"
#
$IPCHAINS -A input -l -s 64.23.24.254 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 207.110.40.160 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.203.36.68 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.3.223.49 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.216.57.161 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.249.182.198 -d $EXTERNAL_NET -j DENY
echo -n "."
#
############################################################################
#
# Specific blocks/logging on external interface
#
# blocks off ports with known vulnerabilities
#
############################################################################
#
echo -n "Port Blocks and traps.."
#
# NetBEUI/Samba/NetBios - only on external interface
#     Do not log - too much traffic
$IPCHAINS -A input -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
$IPCHAINS -A input -i $EXTERNAL_IF -p udp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
echo -n "."
#
# Microsoft SQL - all interfaces
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
echo -n "."
#
# Postgres SQL
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
echo -n "."
#
# NFS
#  Does this block mail?
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
echo -n "."
#
# Back Orifice
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
echo -n "."
#
# NetBus
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
echo -n "."
#
# Trin00
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1524 -j DENY
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 27655 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 27444 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31335 -j DENY
echo -n "."
#
# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $ALLADDR -j DENY
$IPCHAINS -A input -s $ALLADDR -d 224.0.0.0/8 -j DENY
echo -n "."
echo "Done!"
#
##########################################################################
#
# All I/O rules are done(?) - set up masquerade
#
##########################################################################
#
echo -n "Masquerading.."
#
# Install any helpers we might need - Our CU_SeeMe seems to
#     work without the cuseeme module
/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
#/sbin/modprobe ip_masq_mfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_autofw > /dev/null 2>&1
#/sbin/modprobe ip_masq_portfw > /dev/null 2>&1
/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1
echo -n "."
#
# Masq timeouts - tcp 4hrs (14400s), tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600
echo -n "."
#
# Tell kernel to allow masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "."
#
# Tell kernel to allow dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "."
#
# Don't masq internal traffic
$IPCHAINS -A forward -s $INTERNAL_NET -d $INTERNAL_NET -j ACCEPT
echo -n "."
#
# Don't masq external interface direct
$IPCHAINS -A forward -s $EXTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
#
# Masq all internal IPs going outside
$IPCHAINS -A forward -s $INTERNAL_NET -d $ALLADDR -j MASQ
echo -n "."
#
# Set the forward chain's default policy to DENY.  (input and output are
#     left at the kernel default, ACCEPT, so the per-service ACCEPT rules
#     above only take effect if you later add "$IPCHAINS -P input DENY".)
$IPCHAINS -P forward DENY
echo -n "."
#
## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
#########################################################################
#
#This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "Tweak TOS bits for minimum delay.."
#
# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
echo -n "."
#
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
echo -n "."
echo "Done!"
#
# Allow outgoing ICMP
echo -n "Allow outgoing ICMP.."
$IPCHAINS -A output -p icmp -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
# end of firewall
#
############################################################
#  Allow www.dialpad.com calls
echo -n "DialPad.."
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
echo -n "."
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51200 51201 -c tcp 7175
echo -n "."
echo "Done!"

===

Subject: Re[2]: ipchains question
From: Brian Ashe <brian@dee-web.com>
Date: Fri, 28 Jul 2000 11:07:12 -0400


Hi Paul,

You can absolutely do as you say.

You should probably try looking here first...
http://members.home.net/ipmasq/
as it has a well written how-to as well as many other resources.

You can skip the part in the how-to about the kernel compile, a stock Redhat
kernel is set up to work.

===

Subject: Re: ipchains question
From: Jerry Winegarden <jbw@duke.edu>
Date: Fri, 28 Jul 2000 11:14:32 -0400 (EDT)


On Fri, 28 Jul 2000, Paul Smith wrote:

> I am under the impression that if I am using dsl, with a static ip address I
> can use a redhat machine with ipchains and two network cards to allow multiple
> internal machines to use that one redhat machine (gateway) for browsing the
> internet.  I suppose that I am trying to use masquerade.
> 

Yes, you will use ipchains to do ip masquerade.

I suggest you follow my cookbook (includes rc.firewall script,...)

http://www-jerry.oit.duke.edu/linux/bluedevil/HOWTO/ipchains_howto.html


===

Subject: Re: ipchains question
From: "M. Neidorff" <neidorff@bellatlantic.net>
Date: Sun, 30 Jul 2000 10:40:33 -0400


If this is a question (I'm not sure you are asking or not), then what you 
say is correct.  It is exactly what I am doing here.  The one possible 
misunderstanding is that ipchains is not required to make the 
connection...it does security.


===

Subject: Re: ipchains question
From: Glen Lee Edwards <GLEdwards@uswest.net>
Date: Sun, 30 Jul 2000 10:55:19 -0500 (CDT)


On Sun, 30 Jul 2000, M. Neidorff wrote:

>If this is a question (I'm not sure you are asking or not), then what you 
>say is correct.  It is exactly what I am doing here.  The one possible 
>misunderstanding is that ipchains is not required to make the 
>connection...it does security.

I could use some clarification on this:  I'm in the process of installing
DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3)
Windows machines behind it on the LAN.  These are home PC's, nothing of a
real sensitive nature on them, and the Windows boxes aren't set up for
file or printer sharing, so no one can get in to see their files anyway.

Basically what you're saying is that I can just hook up the ethernet
cards, do some modifications on the Linux firewall to include the gateway
IP address, allow packet forwarding, assign each ethernet card an IP
address; and basically we're off?

I was told that to use ipchains I have to compile ipchain support into the
kernel - never recompiled the kernel, don't have a clue how to do this.

===

Subject: Re: ipchains question
From: "Mikkel L. Ellertson" <mikkel@Infinity-ltd.com>
Date: Sun, 30 Jul 2000 11:22:56 -0500 (CDT)


On Sun, 30 Jul 2000, Glen Lee Edwards wrote:

> On Sun, 30 Jul 2000, M. Neidorff wrote:
> 
> >If this is a question (I'm not sure you are asking or not), then what you 
> >say is correct.  It is exactly what I am doing here.  The one possible 
> >misunderstanding is that ipchains is not required to make the 
> >connection...it does security.
> 
> I could use some clarification on this:  I'm in the process of installing
> DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3)
> Windows machines behind it on the LAN.  These are home PC's, nothing of a
> real sensitive nature on them, and the Windows boxes aren't set up for
> file or printer sharing, so no one can get in to see their files anyway.
> 
> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the gateway
> IP address, allow packet forwarding, assign each ethernet card an IP
> address; and basically we're off?
> 
> I was told that to use ipchains I have to compile ipchain support into the
> kernel - never recompiled the kernel, don't have a clue how to do this.
> 
> Glen
> 
> 
With a Red Hat kernel, it is already compiled in.  (As long as it is a
2.2.x kernel.  2.0.x use ifpwadm...)  Your setup is an easy one.

I have a DSL setup with a static IP that is also a WEB server, and
running sendmail with SPAM filtering, as well as masquerading up to 8
more machines inside the firewall.  (Actually set up to support up to 20,
but I haven't tried that...)

I would suggest that you consider running the Bastille script on your
firewall machine to improve its security.  http://www.bastille-linux.org
Also, make sure you run something like logwatch, and keep a good eye on
your logs, because you will have people trying to break into your
machine.  I get someone doing a scan at least 3 times a week.  Sometimes
more.
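Mikkel's advice to keep an eye on the logs is easier to follow with a summary of what the -l flag in a ruleset such as Tom's writes to the kernel log. The script below is an added example, not code from this thread or from logwatch. The log lines it reads are constructed in the ipchains "Packet log:" format using documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), and the scan threshold (distinct destination ports hit by one source) is an arbitrary assumption:

```shell
#!/bin/sh
# Added example, not from the thread: summarize ipchains -l log output.
# ipchains logs through the kernel log in the form
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
# The sample lines below are constructed in that format; the addresses are
# documentation ranges, not real hosts.

sample_log() {
cat <<'EOF'
Jul 30 03:12:44 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:2134 198.51.100.9:139 L=48 S=0x00 I=5123 F=0x4000 T=112 SYN (#23)
Jul 30 03:12:44 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:2135 198.51.100.9:1433 L=48 S=0x00 I=5124 F=0x4000 T=112 SYN (#26)
Jul 30 03:12:45 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:2136 198.51.100.9:5432 L=48 S=0x00 I=5125 F=0x4000 T=112 SYN (#28)
Jul 30 03:12:45 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:2137 198.51.100.9:2049 L=48 S=0x00 I=5126 F=0x4000 T=112 SYN (#30)
Jul 30 03:12:46 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:2138 198.51.100.9:31337 L=48 S=0x00 I=5127 F=0x4000 T=112 SYN (#32)
Jul 30 03:12:50 gw kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.7:1045 198.51.100.9:137 L=78 S=0x00 I=5130 F=0x0000 T=112 (#24)
Jul 30 04:01:02 gw kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.55:3201 198.51.100.9:139 L=48 S=0x00 I=771 F=0x4000 T=128 SYN (#23)
Jul 30 04:01:05 gw kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.55:3202 198.51.100.9:139 L=48 S=0x00 I=772 F=0x4000 T=128 SYN (#23)
Jul 30 04:02:00 gw kernel: eth1: link up
EOF
}

# Read log lines on stdin; print one line per source address with its
# total hit count and the number of distinct destination ports it touched.
# Sources touching at least $1 ports (default 5) are tagged SCAN.
scan_summary() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
    /Packet log:/ {
        # Locate the PROTO= field; src and dst follow it as addr:port.
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        if (i + 2 > NF) next          # malformed line, no address pair
        split($(i+1), s, ":"); split($(i+2), d, ":")
        src = s[1]; dport = d[2]
        hits[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END {
        for (src in hits)
            printf "%s hits=%d ports=%d%s\n", src, hits[src], ports[src],
                   (ports[src] >= thr ? " SCAN" : "")
    }' | sort
}

# Typical use on a live box: grep "Packet log" /var/log/messages | scan_summary
sample_log | scan_summary 5
```

The "(#N)" at the end of each entry is the rule number within the chain that fired, which is how you map a logged hit back to the rule in rc.firewall that produced it.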

===

Subject: Re: ipchains question
From: "ktb" <xyf@peoplepc.com>
Date: Sun, 30 Jul 2000 12:16:02 -0500

Glen Lee Edwards <GLEdwards@uswest.net> wrote: 

> On Sun, 30 Jul 2000, M. Neidorff wrote:
>
> >If this is a question (I'm not sure you are asking or not), then what you
> >say is correct.  It is exactly what I am doing here.  The one possible
> >misunderstanding is that ipchains is not required to make the
> >connection...it does security.
>
> I could use some clarification on this:  I'm in the process of installing
> DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3)
> Windows machines behind it on the LAN.  These are home PC's, nothing of a
> real sensitive nature on them, and the Windows boxes aren't set up for
> file or printer sharing, so no one can get in to see their files anyway.
>
> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the gateway
> IP address,

You need to modify your computers behind the firewall to see the firewall as
the gateway.

One other easy way to setup an ipchains script is pmfirewall.  Download that
and install, it configures everything for you.
hth,
kent


===

Subject: Re: ipchains question
From: "George Lenzer" <eno@home.stratos.net>
Date: Sun, 30 Jul 2000 13:46:44 -0400

Glen Lee Edwards <GLEdwards@uswest.net> wrote: 

>On Sun, 30 Jul 2000, M. Neidorff wrote:
> 
> ...These are home PC's, nothing of a real sensitive nature on them,
> and the Windows boxes aren't set up for file or printer sharing, so no
> one can get in to see their files anyway.

Even if you had Windows file and printer sharing enabled, it
wouldn't be open to the Internet behind the firewall.  What
you really don't want is the Linux equivalent of Windows
file and printer sharing (Samba) enabled ON the firewall.
That is where a hacker/kiddie could get in and do some
damage (only to your firewall).  with a properly secured
firewall, you can use Windows file and print sharing on your
internal LAN.

> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the
> gateway IP address, allow packet forwarding, assign each ethernet
> card an IP address; and basically we're off?

I'm not sure EXACTLY what you meant above, but I will try to
clarify...  You will need to have two NICs in your Linux box
to do IP Masq.  One NIC will connect to your DSL service and
will either be set up with a static IP (if your provider
assigned you one) or...  will be set up with DHCP if that is
what your provider uses.  The other NIC will connect to your
LAN hub or switch.  This NIC should be assigned a static IP
within your network.  For example, I use the 192.168.1.0
network.  My firewall is 192.168.1.1.  Finally, all of your
windows machines would need to have their gateway setting
set to the IP address of the NIC connected to your hub.  In
my case, all of my internal machines have a gateway address
192.168.1.1.

> I was told that to use ipchains I have to compile ipchain support
> into the kernel - never recompiled the kernel, don't have a clue how
> to do this.

You shouldn't have to do this with the stock kernel that
comes with RedHat 6.2, it is already compiled in.  ipchains
sets up the NAT (Network Address Translation) rules for the
kernel's packet filter. If you WANT to run any servers
behind the firewall that you want accessible to the outside
world, you will need to use ipmasqadm in addition.  My
advice to you if you are setting up a firewall for DSL is to
make sure that you are running as close as possible to no
services on the box.  Disable telnet, http, pop3, imap,
smtp, samba, ftp, finger, talk, etc...  At the very least,
edit your /etc/hosts.deny file to ALL:ALL and your
/etc/hosts.allow to ALL:LOCAL 192.168.1.  This will only
allow your internal LAN access to the services on your
firewall and deny most intruders from outside.
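Putting George's steps together, here is the minimal ruleset that answers Paul's original question. It is an added example, not code posted in this thread and not PMFirewall's output. It assumes Paul's layout (eth0 internal, eth1 external), a 192.168.1.0/24 LAN, and ipchains at /sbin/ipchains; DRY_RUN=1 (the default) prints the commands instead of applying them, so the script can be read through before it is run as root with DRY_RUN=0:

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal ipchains masquerade
# gateway for a Red Hat 6.2 (2.2 kernel) box with two NICs: eth0 faces the
# LAN, eth1 faces the DSL line. The LAN prefix is an assumption; change it
# to match your internal subnet.

EXTERNAL_IF=${EXTERNAL_IF:-eth1}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The three things a browsing-only gateway needs, in the order they must
# be applied: routing on, forward chain closed by default, one MASQ rule.
masq_rules() {
    # 1. The kernel will not move packets between eth0 and eth1 until
    #    forwarding is switched on; ipchains rules alone do nothing.
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # 2. Start from a clean, default-deny forward chain.
    run "$IPCHAINS" -F forward
    run "$IPCHAINS" -P forward DENY
    # 3. Log and drop packets claiming a LAN source that arrive on the DSL
    #    side (spoofed or leaked), before they reach any ACCEPT rule.
    run "$IPCHAINS" -A input -i "$EXTERNAL_IF" -s "$INTERNAL_NET" -l -j DENY
    # 4. In the forward chain -i names the OUTGOING interface, so this
    #    matches only LAN-sourced packets leaving via the DSL side.
    #    Anything else that would be forwarded hits the DENY policy.
    run "$IPCHAINS" -A forward -i "$EXTERNAL_IF" -s "$INTERNAL_NET" -j MASQ
}

# Diagnostic for "gateway can ping out, clients cannot browse": a common
# cause is ip_forward still at 0.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# tcp_wrappers policy George recommends for the gateway's own services:
# deny everyone, then allow only local and LAN clients. The argument is
# the LAN prefix in hosts.allow notation (a trailing dot matches the /24).
wrappers_config() {
    lan=${1:-192.168.1.}
    printf '# /etc/hosts.deny\nALL: ALL\n'
    printf '# /etc/hosts.allow\nALL: LOCAL, %s\n' "$lan"
}

masq_rules
if forwarding_enabled; then echo "ip_forward is on"; else echo "ip_forward is off (or not readable)"; fi
wrappers_config "192.168.1."
```

The clients still need the gateway's eth0 address as their default gateway and the ISP's DNS servers, as the thread says; DNS lookups and browser connections are ordinary UDP and TCP and are masqueraded by the same rule, so no per-application port settings are needed on the client side. Tom's longer script adds the per-port DENY rules and the ip_masq helper modules on top of this core.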

===
